PVS-Studio Now in Chocolatey: Checking Chocolatey under Azure DevOps

We continue to make PVS-Studio easier to use. Our analyzer is now available in Chocolatey, the package manager for Windows. We hope this will simplify deploying PVS-Studio, in particular in cloud services. And to stay close to home, let's check the source code of Chocolatey itself. Azure DevOps will serve as the CI system.

Here is a list of our other articles on integration with cloud systems:

I recommend reading the first article on integration with Azure DevOps, because some points are omitted here to avoid repetition.

So, the heroes of this article:

PVS-Studio is a static code analysis tool designed to detect errors and potential vulnerabilities in programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS, and can analyze code intended for 32-bit, 64-bit and embedded ARM platforms. If this is your first time trying static analysis on your projects, we recommend reading the article on how to quickly review the most interesting PVS-Studio warnings and evaluate the tool's capabilities.

Azure DevOps is a set of cloud services that together cover the whole development process. The platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which let you speed up software development and improve its quality.

Chocolatey is an open-source package manager for Windows. The goal of the project is to automate the whole software lifecycle on Windows, from installation through updates to removal.

Using Chocolatey

How to install the package manager itself is described at this link. Complete documentation on installing the analyzer is available at this link; see the section "Installation using the Chocolatey package manager". I will briefly repeat a few points from it.

Command to install the latest version of the analyzer:

choco install pvs-studio

Command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default only the analyzer core, the Core component, is installed. All other flags (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be passed via --package-parameters.

Example of a command that installs the analyzer together with the Visual Studio 2019 plugin:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Now let's look at an example of simple use of the analyzer under Azure DevOps.

Configuration

Let me remind you that information on things like registering an account, creating a Build Pipeline and linking your account to a project in a GitHub repository is in the first article. Our setup starts right away with writing the configuration file.

First, let's set the launch trigger, specifying that we only start on changes to the master branch:

trigger:
- master

Next, we need to choose a virtual machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Although a Docker container could be used to install software that the virtual machine image does not support, I did not add one: Chocolatey can be added as an Azure DevOps extension instead. To do this, follow the link and click Get it free. Then, if you are already signed in, just select your account; if not, do the same after signing in.


Here you need to select the organization to which the extension will be added and click the Install button.


After successful installation, click Proceed to organization:


Now the Chocolatey task template appears in the task panel while you edit the azure-pipelines.yml configuration file:


Click Chocolatey and look at the list of parameters:


Here we need to select install in the Command field. In the Nuspec File Name field, specify the name of the required package, pvs-studio. If you do not specify a version, the latest one is installed, which suits us completely here. In a production pipeline you would normally pin the version (as with --version above), so that a new release of the package cannot silently change the build or the analysis results. Press the Add button and see the generated task in the configuration file.

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's move on to the main part of our file:

- task: CmdLine@2
  inputs:
    script: |

Now we need to create the analyzer license file. Here PVSNAME and PVSKEY are the names of variables we define in the Variables section; they hold the PVS-Studio login and license key, and the $(PVSNAME) and $(PVSKEY) macros are expanded by Azure Pipelines before the script runs. To set their values, open the Variables -> New variable menu. Let's create the variable PVSNAME for the login and PVSKEY for the analyzer key. Don't forget to tick the "Keep this value secret" checkbox for PVSKEY, so that the key is masked in the job log. The command:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the bat file located in the repository:

call build.bat

Let's create a folder where the files with the analyzer results will be stored:

call mkdir PVSTestResults

Let's start the analysis of the project:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

We convert the report to HTML format using PlogConverter:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

Now we need to create a task that publishes the report as a build artifact. The condition is set on the task, not among its inputs, so that the report is uploaded even when an earlier step fails:

- task: PublishBuildArtifacts@1
  condition: always()
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults

The full configuration file looks like this:

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  condition: always()
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults

Click Save -> Save -> Run to run the pipeline. The report can then be downloaded from the artifacts tab.


The Chocolatey project has only 37,615 lines of C# code. Let's look at some of the errors found.

Analysis results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer detected an assignment of a variable to itself, which makes no sense. Most likely, one of the two sides should be a different variable. Or it is simply a typo, and the redundant assignment can be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
      if (file_system.directory_exists("/Applications")
          & file_system.directory_exists("/System")
          & file_system.directory_exists("/Users")
          & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
      else
        return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The difference between the & operator and the && operator is that when the left side of the expression is false, the right side is still evaluated; here that only means unnecessary calls to file_system.directory_exists.

In this fragment it is a minor flaw. Yes, the condition can be fixed by replacing & with &&, but from a practical point of view nothing changes. In other cases, however, confusing & with && can cause serious problems, when the right side of the expression is evaluated with incorrect or invalid values. For example, our collection of errors detected by the V3093 diagnostic contains this case:

if ((k < nct) & (s[k] != 0.0))

Even when the index k is out of range, it is still used to access an element of the array. As a result, an IndexOutOfRangeException is thrown.
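The following is an added example, not code from Chocolatey or from PVS-Studio's collection. It reproduces the V3093 failure mode in Python, where the bitwise `&` on booleans evaluates both operands exactly like C#'s `&`, while `and` short-circuits like `&&`. The sample array and the loop that steps one index past the end are constructed for the demonstration.

```python
# Added example (not Chocolatey's or PVS-Studio's code): what V3093 warns about.
# In C#, `a & b` evaluates both operands while `a && b` skips `b` when `a` is false.
# Python's bitwise `&` on bools behaves like C#'s `&`, and `and` like `&&`,
# so the V3093 case from the text, `(k < nct) & (s[k] != 0.0)`, can be reproduced.
from typing import Callable, Sequence

Guard = Callable[[int, int, Sequence[float]], bool]


def guard_eager(k: int, nct: int, s: Sequence[float]) -> bool:
    """Mirrors `(k < nct) & (s[k] != 0.0)`: s[k] is evaluated even when k >= nct."""
    return (k < nct) & (s[k] != 0.0)


def guard_short_circuit(k: int, nct: int, s: Sequence[float]) -> bool:
    """Mirrors the corrected `(k < nct) && (s[k] != 0.0)`: s[k] is only read if k < nct."""
    return (k < nct) and (s[k] != 0.0)


def count_nonzero(s: Sequence[float], nct: int, guard: Guard) -> int:
    """Count k in [0, nct] for which the guard reports a nonzero element.

    k deliberately runs one past the last valid index: the bounds check on the
    left of the operator is supposed to make that out-of-range step harmless.
    """
    return sum(1 for k in range(nct + 1) if guard(k, nct, s))


def compare(s: Sequence[float]) -> dict:
    """Run both guards over the same constructed input and report what happened."""
    nct = len(s)
    results = {"short_circuit": count_nonzero(s, nct, guard_short_circuit)}
    try:
        results["eager"] = count_nonzero(s, nct, guard_eager)
    except IndexError as exc:
        # The Python counterpart of the C# IndexOutOfRangeException from the text.
        results["eager"] = f"IndexError: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample data, not taken from Chocolatey.
    print(compare([1.0, 0.0, 2.5]))
```

With the short-circuit guard the loop counts the two nonzero elements and finishes; with the eager guard the last iteration reads past the end of the list before the bounds check can matter, which is exactly why the diagnostic is worth acting on when the right operand has side effects or indexes memory.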

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice)                        //1
      ? shortPrompt                                                            //2
        ? "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(),   //3
                                   choice.Substring(1, choice.Length - 1))
        : "[{0}]".format_with(choice.ToUpperInvariant())                        //0
      : shortPrompt                                                            //4
        ? "[{0}]{1}".format_with(choice.Substring(0, 1).ToUpperInvariant(),     //5
                                 choice.Substring(1, choice.Length - 1))
        : choice;                                                              //0
    ....
  }
  ....
}

In this case the logic behind the ternary operator is strange. The whole expression sits inside if (shortPrompt), so shortPrompt is already known to be true there. Let's take a closer look: if the condition I marked with number 1 is met, we move on to condition 2, which is always true, so the expression on line 3 is evaluated. If condition 1 is false, we go to the line marked 4, which is likewise always true, so line 5 is evaluated. Therefore the branches marked with comment 0 are never reached, which is hardly the behaviour the programmer expected.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName(...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[] { "{0:", "{" };
  }
  else
  {
    nameStart = new string[] { "{" + index + ":" };
  }
  for (int i = 0; i < nameStart.Length; ++i)
  {
    int start, j = 0;
    do
    {
      start = description.IndexOf(nameStart[i], j);
    }
    while (start >= 0 && j != 0 ? description[j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The diagnostic fired on this line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

The priority of ?: is lower than that of && and !=, so the condition is parsed as (start >= 0 && j != 0) ? description[j++ - 1] == '{' : false. The variable j is initialized to zero a few lines above and is only modified inside the branch that this condition never reaches, so the ternary operator always returns false and the loop body executes exactly once. It seems to me that this is not how the programmer intended the code to work.

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

There is a strange nesting here: the check installedPackageVersions.Count != 1 is always true, because the enclosing condition has already required Count > 1. Most often such a warning points to a logical error in the code, and sometimes it simply indicates a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
  || commandArguments.contains("-package-parameters-sensitive")
  || commandArguments.contains("apikey ")
  || commandArguments.contains("config ")
  || commandArguments.contains("push ")
  || commandArguments.contains("-p ")
  || commandArguments.contains("-p=")
  || commandArguments.contains("-password")
  || commandArguments.contains("-cp ")
  || commandArguments.contains("-cp=")
  || commandArguments.contains("-certpassword")
  || commandArguments.contains("-k ")
  || commandArguments.contains("-k=")
  || commandArguments.contains("-key ")
  || commandArguments.contains("-key=")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key");
}

The programmer who wrote this piece of code copied and pasted the last two lines and forgot to change them, so the final two checks are exact duplicates of the ones before them. By analogy with the options above, the intended lines were probably:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");

In practice nothing is lost here, because contains("-apikey") already matches the "-apikey=" spelling as a substring; the clone is redundant rather than a hole. Still, judging by its name, this is the function that decides whether a command line may be written to the log without exposing credentials, so it is exactly the kind of code where a copy-paste slip deserves attention. Copy-paste errors have a high chance of showing up sooner or later in any project with a large amount of code, and static analysis is one of the best tools for catching them.

P.S. And as always, this error turned up at the end of a long run of similar lines :). See the publication "The last line effect".
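Below is an added example, not Chocolatey's code, showing a token-based way to do the job that arguments_contain_sensitive_information does with substring checks. Each option name is listed exactly once in a set, so a copy-pasted duplicate becomes a harmless repeated member instead of a silently missing form, and the "-name value" and "-name=value" spellings are handled in one place. The option and subcommand names are the ones visible in the snippet above; the "/name" prefix, the case folding, the redact helper and the sample argument strings are my own assumptions for the demonstration.

```python
# Added example (not Chocolatey's code): token-based detection and redaction of
# secret-bearing command-line arguments, as an alternative to substring checks.
import re
import shlex
from typing import List, Optional, Tuple

# Option names without their `-`, `--` or `/` prefix. Taken from the snippet in the
# article; each appears once, so a duplicate here would be obvious and harmless.
SENSITIVE_OPTIONS = frozenset({
    "install-arguments-sensitive", "package-parameters-sensitive",
    "p", "password", "cp", "certpassword",
    "k", "key", "apikey", "api-key",
})
# Subcommands whose arguments normally carry credentials (the snippet's
# "apikey ", "config " and "push " checks).
SENSITIVE_COMMANDS = frozenset({"apikey", "config", "push"})
REDACTED = "[REDACTED]"

# `-p`, `--api-key=XYZ`, `/k` (the `/` prefix is an assumption, not from the article).
_OPTION = re.compile(r"^(?:--?|/)([A-Za-z][\w-]*)(?:=(.*))?$", re.DOTALL)


def split_option(token: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (name, inline_value) for an option token; (None, None) for anything else."""
    m = _OPTION.match(token)
    if m is None:
        return None, None
    return m.group(1).lower(), m.group(2)


def tokenize(command_arguments: str) -> List[str]:
    """Split a demo argument string; a real caller would already hold an argv list."""
    return shlex.split(command_arguments)


def arguments_contain_sensitive_information(command_arguments: str) -> bool:
    """True if the subcommand or any option is one that carries a secret."""
    tokens = tokenize(command_arguments)
    if tokens and tokens[0].lower() in SENSITIVE_COMMANDS:
        return True
    return any(split_option(t)[0] in SENSITIVE_OPTIONS for t in tokens)


def redact(command_arguments: str) -> str:
    """Replace the value of every sensitive option so the line is safe to log."""
    out: List[str] = []
    expect_value = False
    for token in tokenize(command_arguments):
        if expect_value:                      # separate-value form: `-k SECRET`
            out.append(REDACTED)
            expect_value = False
            continue
        name, inline_value = split_option(token)
        if name in SENSITIVE_OPTIONS:
            if inline_value is None:          # the value arrives in the next token
                out.append(token)
                expect_value = True
            else:                             # inline form: `--api-key=SECRET`
                out.append(token[: len(token) - len(inline_value)] + REDACTED)
        else:
            out.append(token)
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample argument strings, not real Chocolatey invocations.
    for line in ("install pvs-studio --version=7.05.35617.2075",
                 "push pkg.nupkg --api-key=s3cr3t",
                 "apikey -k s3cr3t -s https://example.test"):
        print(arguments_contain_sensitive_information(line), "|", redact(line))
```

Matching whole option names rather than substrings also avoids the opposite risk of the substring approach, where a harmless option that happens to contain "-p " or "-k " would be flagged; whichever approach a project uses, the list of secret-carrying options is security-relevant configuration and belongs in one place that a reviewer can read at a glance.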

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic error: the installedPackage object is dereferenced first (installedPackage.Id) and checked for null afterwards. The diagnostic tells us about one of two problems in the code: either installedPackage can never be null, which is doubtful, and then the check is redundant, or there is a serious error in the code, an attempt to dereference a null reference.

Conclusion

So we have taken another small step: using PVS-Studio has become even simpler and more convenient. I also want to say that Chocolatey is a good package manager with a small number of errors in its code, and that number could become even smaller with PVS-Studio.

We invite you to download and try PVS-Studio. Regular use of a static analyzer makes your code more reliable and secure and helps prevent many zero-day vulnerabilities.

P.S.

Before publication we sent the article to the Chocolatey developers, and they received it well. We found nothing critical, but they did like, for example, the bug we found with the "api-key" flag.


If you want to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio Now in Chocolatey: Checking Chocolatey under Azure DevOps.

Source: www.habr.com
